Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71350

CVE-2025-71350: Picklescan RCE Vulnerability

CVE-2025-71350 is a remote code execution flaw in picklescan that fails to detect malicious pickle files using torch.utils.collect_env.run function. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71350 Overview

CVE-2025-71350 affects picklescan versions before 0.0.28, a security scanner designed to detect malicious code embedded in Python pickle files. The scanner fails to identify malicious payloads that leverage the torch.utils.collect_env.run function inside pickle __reduce__ methods. Attackers can craft pickle files that bypass picklescan detection and execute arbitrary shell commands when a victim loads the file with pickle.load or torch.load. This vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and directly impacts machine learning workflows that rely on picklescan to vet model artifacts from public repositories such as Hugging Face.

Critical Impact

Attackers can distribute weaponized PyTorch model files that pass picklescan checks and execute remote commands on victim systems during model loading.

Affected Products

  • picklescan versions before 0.0.28
  • PyTorch-based workflows using picklescan for pre-load model verification
  • ML pipelines that ingest untrusted .pkl or .pt files from public model hubs

Discovery Timeline

  • 2026-06-30 - CVE-2025-71350 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2025-71350

Vulnerability Analysis

The vulnerability resides in picklescan's allowlist and detection logic for dangerous callables invoked inside pickle __reduce__ methods. Python's pickle protocol allows any object to define a __reduce__ method that returns a callable and arguments to be executed during deserialization. Security scanners like picklescan enumerate known-dangerous functions such as os.system, subprocess.Popen, and eval to flag suspicious pickle streams.

However, picklescan before 0.0.28 does not recognize torch.utils.collect_env.run as a code execution primitive. This function, part of the PyTorch environment collection utility, internally invokes subprocess.Popen to run shell commands. When placed inside a __reduce__ return tuple, it produces the same effect as calling subprocess directly, but evades static detection.

Root Cause

The root cause is an incomplete deny list of dangerous callables. picklescan relies on an enumerated set of known-unsafe functions to identify malicious pickle content. Any function not present in that list, including indirect wrappers around subprocess such as torch.utils.collect_env.run, is treated as safe. This is a fundamental limitation of allowlist- and denylist-based approaches to deserialization safety.

Attack Vector

An attacker uploads a malicious pickle or PyTorch model file to a public model repository or delivers it via phishing. The pickle payload defines a __reduce__ method that returns (torch.utils.collect_env.run, ("attacker_command",)). When the victim scans the file with picklescan, no threats are reported. When the victim subsequently calls pickle.load or torch.load, the embedded command executes with the privileges of the loading process. Refer to the Vulncheck Advisory for Picklescan for full technical details.

Detection Methods for CVE-2025-71350

Indicators of Compromise

  • Pickle or PyTorch model files containing references to torch.utils.collect_env.run in their opcode stream
  • Unexpected child processes spawned by Python interpreters immediately after torch.load or pickle.load calls
  • Outbound network connections originating from ML training or inference hosts shortly after model loading
  • Presence of picklescan versions below 0.0.28 in requirements files or virtual environments

Detection Strategies

  • Inspect pickle files with pickletools.dis and search for GLOBAL opcodes referencing torch.utils.collect_env
  • Upgrade to picklescan 0.0.28 or later and rescan all previously validated model artifacts
  • Enforce endpoint monitoring for shell processes descending from Python interpreters loading third-party models
  • Correlate model file hashes with known-good baselines from trusted internal registries

Monitoring Recommendations

  • Log all invocations of torch.load and pickle.load in production ML pipelines with source file provenance
  • Alert on any subprocess, sh, bash, cmd.exe, or powershell.exe process launched by a Python parent handling model files
  • Monitor egress traffic from ML training clusters for connections to non-approved destinations

How to Mitigate CVE-2025-71350

Immediate Actions Required

  • Upgrade picklescan to version 0.0.28 or later across all development, CI, and production environments
  • Rescan every third-party pickle and PyTorch model file previously validated by an older picklescan version
  • Restrict model loading to files sourced from internally controlled and cryptographically signed registries
  • Run model deserialization inside sandboxed containers with no outbound network access and minimal filesystem privileges

Patch Information

The maintainers of picklescan addressed the issue in version 0.0.28 by extending the detection ruleset to cover torch.utils.collect_env.run and related indirect execution primitives. Full remediation details are documented in the GitHub Security Advisory.

Workarounds

  • Migrate model serialization to safer formats such as safetensors, which do not permit arbitrary code execution during load
  • Load untrusted pickle files only inside isolated, non-privileged sandboxes with strict egress controls
  • Implement additional pre-load static analysis using pickletools to enumerate all GLOBAL opcodes and manually review external references
bash
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.28'

# Verify the installed version
python -c "import picklescan; print(picklescan.__version__)"

# Rescan model artifacts recursively
picklescan --path /path/to/models --recursive

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.